Protect delete_share with a CSRF token

2025-06-27 16:36:00 +00:00 · 2025-03-23 13:13:11 +01:00 · 2025-03-23 13:13:11 +01:00 · d1e128900a
commit d1e128900a
parent 0d8429dfc7
3 changed files with 22 additions and 7 deletions
--- a/src/Wallabag/CoreBundle/Controller/EntryController.php
+++ b/src/Wallabag/CoreBundle/Controller/EntryController.php
@ -570,12 +570,16 @@ class EntryController extends AbstractController
    /**
     * Disable public sharing for an entry.
     *
-     * @Route("/share/delete/{id}", requirements={"id" = "\d+"}, name="delete_share")
+     * @Route("/share/delete/{id}", name="delete_share", methods={"POST"}, requirements={"id" = "\d+"})
     *
     * @return Response
     */
-    public function deleteShareAction(Entry $entry)
+    public function deleteShareAction(Request $request, Entry $entry)
    {
+        if (!$this->isCsrfTokenValid('delete-share', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
        $this->checkUserAction($entry);

        $entry->cleanUid();
--- a/src/Wallabag/CoreBundle/Resources/views/Entry/entry.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Entry/entry.html.twig
@ -168,9 +168,13 @@
                            </form>
                        </li>
                        <li>
-                            <a href="{{ path('delete_share', {'id': entry.id}) }}" title="{{ 'entry.view.left_menu.delete_public_link'|trans }}" class="tool icon-no-eye">
-                                <span>{{ 'entry.view.left_menu.delete_public_link'|trans }}</span>
-                            </a>
+                            <form action="{{ path('delete_share', {'id': entry.id}) }}" method="post">
+                                <input type="hidden" name="token" value="{{ csrf_token('delete-share') }}"/>
+
+                                <button type="submit" class="btn-link tool icon-no-eye" title="{{ 'entry.view.left_menu.delete_public_link'|trans }}">
+                                    <span>{{ 'entry.view.left_menu.delete_public_link'|trans }}</span>
+                                </button>
+                            </form>
                        </li>
                    {% endif %}
                    {% if craue_setting('share_twitter') %}
--- a/tests/Wallabag/CoreBundle/Controller/EntryControllerTest.php
+++ b/tests/Wallabag/CoreBundle/Controller/EntryControllerTest.php
@ -1185,12 +1185,19 @@ class EntryControllerTest extends WallabagCoreTestCase
        $this->assertSame(404, $client->getResponse()->getStatusCode());

        // removing the share
-        $client->request('GET', '/share/delete/' . $content->getId());
+        $client->getContainer()->get(Config::class)->set('share_public', 1);
+        $this->logInAs('admin');
+        $crawler = $client->request('GET', '/view/' . $content->getId());
+
+        $client->submit($crawler->filter('.left-bar')->selectButton('entry.view.left_menu.delete_public_link')->form());
+
        $this->assertSame(302, $client->getResponse()->getStatusCode());

-        // share is now disable
+        // share is now removed
        $client->request('GET', '/share/' . $content->getUid());
        $this->assertSame(404, $client->getResponse()->getStatusCode());
+
+        $client->getContainer()->get(Config::class)->set('share_public', 0);
    }

    /**